Security Operations Centers (SOCs) Are Now Becoming Detection and Response Organizations
More organizations are producing and consuming cyber threat intelligence than ever before, and the share that measures the effectiveness of its CTI program is higher than ever, jumping from 4% in 2020 to 38% in 2021, according to the SANS 2021 Cyber Threat Intelligence (CTI) Survey. However, CTI adoption still lags in three areas: integration, automation and operationalizing threat intelligence. The report finds that teams lean on the SIEM for most of their automation, which is likely why CTI adoption trails in exactly these areas. SIEMs have been around for well over a decade, designed to replace manual log correlation: they normalize alerts across multiple technology vendors so that suspicious network activity can be identified in one place. They were never designed to handle the full threat intelligence management use case, nor to integrate with and absorb the volume of data produced by modern security tools such as Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Cloud Detection and Response (CDR).
The center of gravity of the Security Operations Center (SOC) used to be the SIEM. That is shifting as the mission of the SOC shifts to become a detection and response organization. Detection and response capabilities are not siloed in single tools but extend across the entire ecosystem. What is needed is a platform that can integrate with multiple internal and external threat and event data sources (including the SIEM) and support bi-directional integration with the sensor grid: intelligence flows in from the tools and enriched, prioritized intelligence flows back out to them. A platform with this capability holds the key to accelerating security operations and enables the modern SOC to deliver on its mission.
We can look at the SolarWinds Orion supply-chain compromise, and the SUNBURST backdoor delivered through trojanized Orion builds, for an example of how such a platform can help.
When SUNBURST made the headlines, security teams around the globe were bombarded with questions from their leadership: What do we know about the breach? Were we impacted? If so, how can we mitigate the risk? If not, what can we do to protect ourselves going forward? Information and preventative measures flooded the security community from a variety of sources and in a variety of formats: news articles, blogs and security industry reports, MITRE ATT&CK techniques, indicators of compromise (IoCs) from threat feeds, GitHub repositories, YARA rules and Snort signatures. It was also important to understand the context of the available information. Given the organization's environment, technology stack, network architecture and risk profile, what was the most relevant and highest-priority information to focus on to mitigate risk?
Let's start with detection. Security teams needed to understand the threat quickly, investigate the impact, make decisions and determine what actions to take. Using the platform to automatically aggregate, normalize and deduplicate data from any source – structured or unstructured, internal or external – they could build a central repository of what was known. Correlating events and associated indicators from inside their environment (from sources including the SIEM, log management repository, case management system and security infrastructure) with external data on indicators, adversaries and their methods provided the context to understand the who, what, where, when, why and how of the attack. Adjusting risk scores and prioritizing threat intelligence based on parameters the team sets around indicator source, type, attributes and context, as well as adversary attributes, let them automatically filter out the noise and focus on what really matters to the organization rather than wasting time and resources chasing ghosts. An indicator reported by a single unverified feed, never seen in the organization's own logs, does not deserve the same attention as one corroborated by several sources and already observed in an outbound connection.
Now for response. With a complete, contextualized picture of the attack, security teams could push that data into their infrastructure and operations, with the flexibility to do so manually, automatically or some combination of the two. They could see who else within the organization needed to consume and understand this data – the network security team, threat intelligence analysts, threat hunters, forensics and investigations, management, etc. – and share it. They could export the data to their existing infrastructure so that those technologies perform more efficiently and effectively, delivering fewer false positives. And they could send the right data back to the right tools across the sensor grid (firewalls, IPS/IDS, routers, web and email security, NDR, EDR, etc.) to generate and apply updated policies and rules to mitigate risk. The gating matters here: only indicators above an agreed score, and of a type the receiving tool can act on safely, should be pushed into a blocking control automatically, because a shared-hosting or CDN address dropped straight into a firewall deny list is a self-inflicted outage.
In the days, weeks and months that follow, security teams can rely on the platform to continuously and automatically reevaluate and reprioritize as new data, learnings and observations come in. That covers tactical intelligence that can be used to create block lists or deploy signatures, operational intelligence on the techniques being used and the tools to watch for, and strategic intelligence that identifies likely threat actors and what they are after. Teams can remain confident that they are focused on the right priorities, addressing incidents faster and making better-informed decisions.
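The detection, response and reprioritization steps above describe one pipeline: aggregate feeds, normalize and deduplicate, correlate with internal telemetry, score, then export only what clears the bar to the sensor grid. The following is an added example of that pipeline in plain Python; it is not code from the original article or from any product, and the feed records, log lines, source weights and tag names are constructed for illustration (the IPs are documentation ranges, not real SUNBURST indicators).

```python
"""Constructed example of a minimal threat-intel pipeline: aggregate two feeds
in different formats, normalize and deduplicate, correlate against internal
logs, score, and export block-list lines for the sensor grid.

Sample feeds, logs and weights below are constructed for illustration and are
not real indicators."""
import csv
import io
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed feed 1: CSV with a duplicate row and inconsistent casing.
FEED_CSV = """indicator,type,source
198.51.100.23,ipv4,vendor-feed
198.51.100.23,ipv4,vendor-feed
Example-Bad.Test,domain,osint-blog
d41d8cd98f00b204e9800998ecf8427e,md5,github-repo
"""

# Constructed feed 2: JSON using different type names and carrying tags.
FEED_JSON = json.dumps([
    {"value": "198.51.100.23", "type": "ip", "source": "isac", "tags": ["supply-chain"]},
    {"value": "example-bad.test", "type": "fqdn", "source": "isac", "tags": ["c2"]},
    {"value": "203.0.113.9", "type": "ip", "source": "isac", "tags": []},
])

# Constructed internal telemetry (proxy and firewall, key=value style).
INTERNAL_LOGS = [
    "2020-12-14T03:12:01Z proxy host=ws-042 dst=example-bad.test action=allow",
    "2020-12-14T03:12:05Z fw src=10.0.8.17 dst=198.51.100.23 action=allow",
    "2020-12-14T03:15:44Z fw src=10.0.8.17 dst=192.0.2.1 action=allow",
]

# Feeds disagree on type names; map them onto one vocabulary.
TYPE_ALIASES = {"ipv4": "ip", "ip": "ip", "ip-dst": "ip",
                "domain": "domain", "fqdn": "domain", "hostname": "domain",
                "md5": "md5", "sha256": "sha256"}
# Assumed reliability weight per source (hypothetical values an analyst would tune).
SOURCE_WEIGHT = {"isac": 40, "vendor-feed": 30, "github-repo": 20, "osint-blog": 15}
HIGH_VALUE_TAGS = {"c2", "supply-chain"}


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    sightings: list = field(default_factory=list)
    score: int = 0


def normalize(value, itype):
    """Canonicalize one raw record; returns (type, value) or None if unusable."""
    itype = TYPE_ALIASES.get(itype.lower())
    if itype is None:
        return None
    value = value.strip().lower()
    if itype == "ip":
        try:
            value = str(ipaddress.ip_address(value))  # rejects junk like "1.2.3"
        except ValueError:
            return None
    return itype, value


def ingest(csv_text, json_text):
    """Aggregate both feeds into one repository deduplicated on (type, value)."""
    repo = {}

    def add(raw_value, raw_type, source, tags=()):
        key = normalize(raw_value, raw_type)
        if key is None:
            return
        ind = repo.setdefault(key, Indicator(key[1], key[0]))
        ind.sources.add(source)  # a repeat only adds corroboration, not a new entry
        ind.tags.update(tags)

    for row in csv.DictReader(io.StringIO(csv_text)):
        add(row["indicator"], row["type"], row["source"])
    for rec in json.loads(json_text):
        add(rec["value"], rec["type"], rec["source"], rec.get("tags", ()))
    return repo


def correlate(repo, log_lines):
    """Attach internal sightings: any log whose dst= field equals a known indicator."""
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        dst = fields.get("dst", "").lower()
        for ind in repo.values():
            if ind.value == dst:
                ind.sightings.append(line)


def score(ind):
    """Source reliability + corroboration + adversary context + internal sighting."""
    s = sum(SOURCE_WEIGHT.get(src, 5) for src in ind.sources)
    if ind.tags & HIGH_VALUE_TAGS:
        s += 10
    if ind.sightings:
        s += 20
    return min(s, 100)


def prioritize(repo):
    """Re-run after every new feed or log batch to reevaluate priorities."""
    for ind in repo.values():
        ind.score = score(ind)
    return sorted(repo.values(), key=lambda i: i.score, reverse=True)


def export_blocklist(indicators, threshold=60):
    """Only high-scoring, blockable types go back to the sensor grid."""
    rules = []
    for ind in indicators:
        if ind.score < threshold:
            continue
        if ind.itype == "ip":
            rules.append(f"deny ip any {ind.value}")
        elif ind.itype == "domain":
            rules.append(f"sinkhole {ind.value}")
    return rules


def run(csv_text=FEED_CSV, json_text=FEED_JSON, logs=INTERNAL_LOGS):
    repo = ingest(csv_text, json_text)
    correlate(repo, logs)
    ranked = prioritize(repo)
    return ranked, export_blocklist(ranked)


if __name__ == "__main__":
    ranked, rules = run()
    for ind in ranked:
        print(f"{ind.score:3d} {ind.itype:6s} {ind.value:34s} "
              f"sources={sorted(ind.sources)} sightings={len(ind.sightings)}")
    print("\n".join(rules))
```

With the constructed inputs, the two indicators seen by multiple sources and in internal logs rank at the top and become the only block-list entries; the single-source IP with no sighting scores below the threshold and stays as context rather than becoming a firewall rule, and the hash has no blockable sensor type at all. Reprioritization over the following weeks is simply `prioritize` and `export_blocklist` run again after each new batch of feed records or log sightings is ingested.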
With a modern platform designed for integrating, automating and operationalizing intelligence, CTI programs can reach new levels of effectiveness, including a measurable, positive impact on time to detection and time to response. Given that SOCs are now becoming detection and response organizations, isn't that the metric that ultimately matters?